e2e: add insecure deployment test

This adds a basic E2E test for the insecure runtimes.

Author: msanft

.github/workflows/e2e_manual.yml

@@ -19,6 +19,7 @@ on:
           - gpu
           - imagepuller-auth
           - imagestore
+          - insecure
           - kds-pcs-downtime
           - memdump
           - multi-runtime-class

e2e/insecure/insecure_test.go

@@ -0,0 +1,120 @@
+// Copyright 2026 Edgeless Systems GmbH
+// SPDX-License-Identifier: BUSL-1.1
+
+//go:build e2e
+
+package insecure
+
+import (
+	"context"
+	"flag"
+	"os"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/edgelesssys/contrast/e2e/internal/contrasttest"
+	"github.com/edgelesssys/contrast/internal/kuberesource"
+	"github.com/edgelesssys/contrast/internal/manifest"
+	"github.com/edgelesssys/contrast/internal/platforms"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+const (
+	secureDeployment   = "secure-pod"
+	insecureDeployment = "insecure-pod"
+)
+
+// TestInsecure deploys a secure and an insecure pod side by side and verifies
+// that only the secure pod runs inside a TEE.
+func TestInsecure(t *testing.T) {
+	platform, err := platforms.FromString(contrasttest.Flags.PlatformStr)
+	require.NoError(t, err)
+
+	insecurePlatform := platform.InsecureVariant()
+	if insecurePlatform == platforms.Unknown {
+		t.Skip("no insecure variant for platform", platform)
+	}
+
+	// The generate and verify commands require this env var for insecure platforms.
+	t.Setenv("CONTRAST_ALLOW_INSECURE_RUNTIMES", "1")
+
+	ct := contrasttest.New(t)
+	ct.Platform = insecurePlatform // Required so RunGenerate/RunVerify pass --INSECURE.
+
+	secureHandler, err := manifest.RuntimeHandler(platform)
+	require.NoError(t, err)
+	insecureHandler, err := manifest.RuntimeHandler(insecurePlatform)
+	require.NoError(t, err)
+
+	resources := kuberesource.CoordinatorBundle()
+	// Patch the coordinator with the insecure runtime handler.
+	resources = kuberesource.PatchRuntimeHandlers(resources, insecureHandler)
+	resources = kuberesource.AddPortForwarders(resources)
+
+	// Add deployments *after* PatchRuntimeHandlers to retain control over the RuntimeClassNames.
+	resources = append(resources, kuberesource.DeploymentWithRuntimeClass(secureDeployment, secureHandler))
+	resources = append(resources, kuberesource.DeploymentWithRuntimeClass(insecureDeployment, insecureHandler))
+
+	ct.Init(t, resources)
+	require.True(t, t.Run("generate", ct.Generate), "contrast generate needs to succeed for subsequent tests")
+	require.True(t, t.Run("apply", ct.Apply), "Kubernetes resources need to be applied for subsequent tests")
+	require.True(t, t.Run("set", ct.Set), "contrast set needs to succeed for subsequent tests")
+	require.True(t, t.Run("contrast verify", ct.Verify), "contrast verify needs to succeed for subsequent tests")
+
+	t.Run("pods use correct runtime classes", func(t *testing.T) {
+		ctx, cancel := context.WithTimeout(t.Context(), ct.FactorPlatformTimeout(2*time.Minute))
+		defer cancel()
+		require := require.New(t)
+
+		securePods, err := ct.Kubeclient.PodsFromDeployment(ctx, ct.Namespace, secureDeployment)
+		require.NoError(err)
+		require.Len(securePods, 1)
+		assert.True(t, strings.HasPrefix(*securePods[0].Spec.RuntimeClassName, secureHandler))
+
+		insecurePods, err := ct.Kubeclient.PodsFromDeployment(ctx, ct.Namespace, insecureDeployment)
+		require.NoError(err)
+		require.Len(insecurePods, 1)
+		assert.True(t, strings.HasPrefix(*insecurePods[0].Spec.RuntimeClassName, insecureHandler))
+	})
+
+	t.Run("pods start", func(t *testing.T) {
+		ctx, cancel := context.WithTimeout(t.Context(), ct.FactorPlatformTimeout(2*time.Minute))
+		defer cancel()
+		require := require.New(t)
+
+		require.NoError(ct.Kubeclient.WaitForDeployment(ctx, ct.Namespace, secureDeployment))
+		require.NoError(ct.Kubeclient.WaitForDeployment(ctx, ct.Namespace, insecureDeployment))
+	})
+
+	t.Run("secure pod runs in TEE", func(t *testing.T) {
+		ctx, cancel := context.WithTimeout(t.Context(), ct.FactorPlatformTimeout(1*time.Minute))
+		defer cancel()
+		require := require.New(t)
+
+		stdout, stderr, err := ct.Kubeclient.ExecDeployment(ctx, ct.Namespace, secureDeployment, []string{
+			"/usr/local/bin/bash", "-c", "dmesg | grep -i -E 'tdx|sev|snp'",
+		})
+		require.NoError(err, "stderr: %q", stderr)
+		require.NotEmpty(strings.TrimSpace(stdout), "expected TEE-related dmesg output in secure pod")
+	})
+
+	t.Run("insecure pod does not run in TEE", func(t *testing.T) {
+		ctx, cancel := context.WithTimeout(t.Context(), ct.FactorPlatformTimeout(1*time.Minute))
+		defer cancel()
+
+		// grep exits with 1 when no lines match, so we expect an error here.
+		stdout, _, _ := ct.Kubeclient.ExecDeployment(ctx, ct.Namespace, insecureDeployment, []string{
+			"/usr/local/bin/bash", "-c", "dmesg | grep -i -E 'tdx|sev|snp'",
+		})
+		assert.Empty(t, strings.TrimSpace(stdout), "expected no TEE-related dmesg output in insecure pod")
+	})
+}
+
+func TestMain(m *testing.M) {
+	contrasttest.RegisterFlags()
+	flag.Parse()
+
+	os.Exit(m.Run())
+}

e2e/internal/contrasttest/contrasttest.go

@@ -231,6 +231,9 @@ func (ct *ContrastTest) RunGenerate(ctx context.Context) error {
 	if Flags.GenpolicyCachePath != "" {
 		args = append(args, "--genpolicy-cache-path", Flags.GenpolicyCachePath)
 	}
+	if platforms.IsInsecure(ct.Platform) {
+		args = append(args, "--INSECURE")
+	}
 	args = append(args, ct.WorkDir)
 
 	generate := cmd.NewGenerateCmd()
@@ -365,7 +368,11 @@ func (ct *ContrastTest) RunVerify(ctx context.Context) error {
 	ctx, cancel := context.WithTimeout(ctx, 3*time.Minute)
 	defer cancel()
 
-	if err := ct.runAgainstCoordinator(ctx, cmd.NewVerifyCmd()); err != nil {
+	var verifyArgs []string
+	if platforms.IsInsecure(ct.Platform) {
+		verifyArgs = append(verifyArgs, "--INSECURE")
+	}
+	if err := ct.runAgainstCoordinator(ctx, cmd.NewVerifyCmd(), verifyArgs...); err != nil {
 		return err
 	}
 
@@ -569,7 +576,8 @@ func (ct *ContrastTest) runAgainstCoordinator(ctx context.Context, cmd *cobra.Co
 // Baseline is AKS.
 func (ct *ContrastTest) FactorPlatformTimeout(timeout time.Duration) time.Duration {
 	switch ct.Platform {
-	case platforms.MetalQEMUSNP, platforms.MetalQEMUTDX, platforms.MetalQEMUSNPGPU, platforms.MetalQEMUTDXGPU:
+	case platforms.MetalQEMUSNP, platforms.MetalQEMUTDX, platforms.MetalQEMUSNPGPU, platforms.MetalQEMUTDXGPU,
+		platforms.MetalQEMUSNPInsecure, platforms.MetalQEMUTDXInsecure, platforms.MetalQEMUSNPGPUInsecure, platforms.MetalQEMUTDXGPUInsecure:
 		return 2 * timeout
 	default:
 		panic(fmt.Sprintf("FactorPlatformTimeout not configured for platform %q", ct.Platform))

internal/platforms/platforms.go

@@ -75,6 +75,23 @@ func (p Platform) String() string {
 	}
 }
 
+// InsecureVariant returns the insecure (non-CC) variant of the
+// platform, or Unknown if there is no such variant.
+func (p Platform) InsecureVariant() Platform {
+	switch p {
+	case MetalQEMUSNP:
+		return MetalQEMUSNPInsecure
+	case MetalQEMUTDX:
+		return MetalQEMUTDXInsecure
+	case MetalQEMUSNPGPU:
+		return MetalQEMUSNPGPUInsecure
+	case MetalQEMUTDXGPU:
+		return MetalQEMUTDXGPUInsecure
+	default:
+		return Unknown
+	}
+}
+
 // MarshalJSON marshals a Platform type to a JSON string.
 func (p Platform) MarshalJSON() ([]byte, error) {
 	return fmt.Appendf(nil, `"%s"`, p.String()), nil

packages/by-name/contrast/e2e/package.nix

@@ -71,6 +71,7 @@ buildGoModule {
     "e2e/gpu"
     "e2e/imagepuller-auth"
     "e2e/imagestore"
+    "e2e/insecure"
     "e2e/kds-pcs-downtime"
     "e2e/memdump"
     "e2e/multi-runtime-class"